From: "Tmp File"
To: alpine-dev
Subject: [alpine-devel] ABUILD checksums verification
Date: Tue, 15 Aug 2017 04:59:06 +0200

Hello Alpinists.

I thought abuild refused to build packages in case the sha512sum was absent or wrong.
So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.

https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0

But to my surprise the package was built!
It can now be found on the official repository.
If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.

If I made any mistake please clear it up.
But as I understand it right now py-redis was built and distributed without verification of the sha512sum.

tmpfile.

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---


From: Kiyoshi Aman
To: Tmp File, alpine-dev
Subject: Re: [alpine-devel] ABUILD checksums verification
Date: Tue, 15 Aug 2017 03:03:10 +0000

Hi,

This is not a problem as the file includes an md5sum, which is still checked.

On Mon, Aug 14, 2017 at 9:59 PM Tmp File wrote:
> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was
> absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I
> expected it to fail.
>
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and
> distributed... this sounds like a security issue.
>
> If I made any mistake please clear it up.
> But as I understand it right now py-redis was built and distributed without
> verification of the sha512sum.
>
> tmpfile.

-- 
Kiyoshi Aman
From: "Tmp File"
To: alpine-dev
Subject: Re: [alpine-devel] ABUILD checksums verification
Date: Tue, 15 Aug 2017 05:04:06 +0200

Just after sending the email I realized my mistake.
It happens that py-redis *does* have a valid sha512sum, but the commit view was truncated above it (just after the md5sum).

I'm ashamed of this mistake and for causing trouble over nothing.

Sorry Alpinists.

> Sent: Monday, August 14, 2017 at 11:59 PM
> From: "Tmp File"
> To: alpine-dev
> Subject: [alpine-devel] ABUILD checksums verification
>
> Hello Alpinists.
>
> I thought abuild refused to build packages in case the sha512sum was absent or wrong.
> So when I noticed a commit that pushed a package with no sha512sum I expected it to fail.
> https://github.com/alpinelinux/aports/commit/ea042a80dc99d3399dccbd8782041fda178aeab0
> But to my surprise the package was built!
> It can now be found on the official repository.
> If the sha512sum is being ignored and any package is being built and distributed... this sounds like a security issue.
>
> If I made any mistake please clear it up.
> But as I understand it right now py-redis was built and distributed without verification of the sha512sum.
>
> tmpfile.
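The check the thread turns on, as an added example that is not abuild's own code: a source file must match every digest block the APKBUILD carries (md5sums, sha256sums, sha512sums), a file listed in no block is refused, and a file covered only by md5sums is flagged, since MD5 is collision-prone. The APKBUILD text, the tarball bytes and the filename are constructed here; the digests in the sample are computed from those bytes, standing in for the values a maintainer records with `abuild checksum`.

```python
"""Verify a downloaded source file against the checksum blocks of an APKBUILD.

Added example, not abuild's own code: every *sums block that lists the file
must match, and a file protected only by md5sums is flagged.
"""
import hashlib
import re

# One APKBUILD block such as:  sha512sums="<hex>  file.tar.gz\n<hex>  other"
_BLOCK_RE = re.compile(r'^(md5|sha256|sha512)sums="([^"]*)"', re.M)


def parse_checksums(apkbuild_text):
    """Return {algorithm: {filename: hexdigest}} for each *sums block present."""
    blocks = {}
    for algo, body in _BLOCK_RE.findall(apkbuild_text):
        entries = {}
        for line in body.strip().splitlines():
            parts = line.split()  # "<hexdigest>  <filename>", as sha512sum prints it
            if len(parts) != 2:
                raise ValueError("malformed checksum line: %r" % line)
            entries[parts[1]] = parts[0].lower()
        blocks[algo] = entries
    return blocks


def verify_source(apkbuild_text, name, data):
    """Check the bytes `data` of source `name` against every digest listed for it.

    Returns (ok, algorithms_checked, warnings). ok is False on any mismatch
    or when no block lists the file at all; an md5-only match is ok but warned.
    """
    checked, warnings = [], []
    for algo, entries in parse_checksums(apkbuild_text).items():
        if name not in entries:
            continue
        if hashlib.new(algo, data).hexdigest() != entries[name]:
            return False, checked, ["%s mismatch for %s" % (algo, name)]
        checked.append(algo)
    if not checked:
        return False, checked, ["no checksum listed for %s" % name]
    if checked == ["md5"]:
        warnings.append("%s is covered only by md5sums; add sha512sums" % name)
    return True, checked, warnings


def make_apkbuild(name, data, algos):
    """Constructed sample APKBUILD fragment; digests are computed from `data`."""
    text = 'pkgname=py-redis\nsource="%s"\n' % name
    for algo in algos:
        text += '%ssums="%s  %s"\n' % (algo, hashlib.new(algo, data).hexdigest(), name)
    return text


# Constructed stand-in for the source tarball, plus a tampered copy of it.
SOURCE_NAME = "py-redis-src.tar.gz"
GOOD = b"constructed tarball bytes"
TAMPERED = GOOD + b"\x00"
```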